Malicious PDF — malware analysis report

Static analysis result for SHA-256 12df4fb5a48593c3…

MALICIOUS

PDF

Size: 1.75 MB
Created: 2009-09-15 13:36:01 +02:00
MD5: ff2d554a7640a971bb8975e7cdb1e6bb
SHA-1: 64797aa6de55f95c9660f663638bfbedbfa6585f
SHA-256: 12df4fb5a48593c37a4a47f678fe059b0f7427e5496809c1a11e4b05a5803e97
Risk score: 70

Malware Insights

MITRE ATT&CK
  • T1059.001 Command and Scripting Interpreter: PowerShell (no PowerShell artifact appears anywhere in the findings below; the only scripting evidence this report shows is the embedded JavaScript, so treat this mapping as unconfirmed)
  • T1566.001 Phishing: Spearphishing Attachment
  • T1204.002 User Execution: Malicious File

The PDF fires multiple heuristics for embedded JavaScript, an embedded file and RichMedia (Flash) content, all matched inside decoded streams rather than in the plain object tree. A /JavaScript action plus /JS streams plus an embedded attachment is the usual shape of a document built to run code or exploit the reader and then stage a second payload; the 2009 creation timestamp and the Flash object fit that era of reader exploits, but these static checks identify no specific vulnerability, and none of the separate dangerous-API rules fired, so the carved .js streams still have to be read to characterise what the script actually does. The document body is heavily obfuscated and unreadable, and the cross-check parser stopped with PSEOF (unexpected end of file), which usually means a truncated or deliberately malformed structure. The URLs extracted from the file are all XMP/RDF metadata namespace identifiers (ns.adobe.com, w3.org, purl.org) that appear in nearly every PDF carrying an XMP packet; they are not lures or download locations, and the only Adobe addresses among them are those namespaces. The target of the /URI action that fired PDF_URI is not shown in this report and should be read out of the decoded stream before any conclusion about an Adobe Reader lure is drawn.

Heuristics (8)

  • RichMedia (Flash) (severity: high, rule PDF_RICHMEDIA)
    PDF contains /RichMedia (Adobe Flash), a historic exploit vector (matched inside decoded stream).
  • JavaScript action (severity: low, rule PDF_JAVASCRIPT)
    PDF contains a /JavaScript action. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules (matched inside decoded stream).
  • Embedded JS stream (severity: low, rule PDF_JS)
    PDF references a /JS stream. Generic JavaScript is common in benign forms; specific dangerous APIs are scored by separate rules (matched inside decoded stream).
  • Embedded file (severity: low, rule PDF_EMBEDDED)
    PDF embeds a file attachment, which could carry an executable or another weaponised document as a nested payload (matched inside decoded stream).
  • External URI (severity: info, rule PDF_URI)
    PDF contains an external URL action.
  • PDF differential parser failed (severity: info, rule PDF_DIFFERENTIAL_PARSE_FAILED)
    The cross-check parser (pdfminer.six) failed on this file with PSEOF (it hit end of file where it expected more data). Static heuristics still ran and their findings above are valid; only the differential cross-check signal is missing.
  • Suspicious extracted artifact (severity: info, rule EXTRACTED_FILE_STATIC_TRIAGE)
    One or more files extracted from inside this sample matched static suspicious-content checks such as script obfuscation, encoded payload blobs, packed data, or execution/download terms.
  • Embedded URL (severity: info, rule EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL. All nine URLs below are XMP/RDF namespace identifiers from the metadata stream, not link or script targets.
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#
    • http://ns.adobe.com/xap/1.0/
    • http://purl.org/dc/elements/1.1/
    • http://ns.adobe.com/xap/1.0/mm/
    • http://ns.adobe.com/xap/1.0/sType/ResourceEvent#
    • http://ns.adobe.com/tiff/1.0/
    • http://ns.adobe.com/exif/1.0/
    • http://ns.adobe.com/photoshop/1.0/
    • http://ns.adobe.com/pdf/1.3/

Extracted artifacts (8)

Files carved from inside the sample during analysis, listed with SHA-256, kind, source and size; detection results follow where a carved file was checked. Note that 8.00 bits/byte measured after FlateDecode means the decoded stream is still carrying a further layer of compression or encryption; embedded media such as a JPEG or a compressed SWF reads the same, so inspect the leading bytes of stream_041 and stream_049 before treating them as an encrypted payload.

Filename / SHA-256 / Kind / Source / Size

stream_025_off000d45a8.js
  SHA-256: 3b5b723cd74709605165fa6adef9df2935bf1aa73c0aea7cd4a65e270d8aaf83
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xD45A8
  Size: 1891 bytes

stream_036_off000dcc64.js
  SHA-256: 7a345e22a85b9270120c5a49ec3aaf3e3f59f542368670bacc30d2ca39fef6fa
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xDCC64
  Size: 550 bytes

stream_040_off000de6c8.js
  SHA-256: dd90ed51f69335eea3c1d53a317338a37990c328740b7e96725272aac51e0431
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xDE6C8
  Size: 16286 bytes

stream_041_off000dfbc9.bin
  SHA-256: 80856aa83ee1b923ecf8b2cbe03ed0d3060d487cf4940578da01f1a53587f977
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xDFBC9
  Size: 68089 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy is 8.00, consistent with packed or encrypted content)

stream_042_off000f04f0.bin
  SHA-256: 30994c0db15d4c1029ba6b11d86147959cae739ea56400aed11bbd0c9b3b319e
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0xF04F0
  Size: 630980 bytes

stream_049_off0015ebbb.bin
  SHA-256: b9c1cc2c2a6dc48869e14b84749d140f2f8e88d5f1129f51b28d9b7c38de164f
  Kind: decompressed-pdf-stream
  Source: PDF FlateDecoded stream at offset 0x15EBBB
  Size: 97241 bytes
  Detection: ClamAV: No threats found
  Obfuscation or payload: likely (carved artifact entropy is 8.00, consistent with packed or encrypted content)

objstm_0104_00.bin
  SHA-256: cc4fa4c29b0ef6c239ba7b9d11a3318581008db1aa972b5bcfa14b819b1cd429
  Kind: pdf-objstm-decoded
  Source: PDF /ObjStm 104 0 obj (inflated)
  Size: 14328 bytes

objstm_0106_00.bin
  SHA-256: 25f031dda767c39b54a3be0ad3dd1ad905af5bdef9f34c01a4fff8d7b1172cc1
  Kind: pdf-objstm-decoded
  Source: PDF /ObjStm 106 0 obj (inflated)
  Size: 8452 bytes
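The heuristics, URL labelling and stream carving above follow one static pipeline: inflate every FlateDecode stream and object stream, look for indicator names inside the decoded bytes, separate metadata namespace URIs from real link targets, and measure the entropy of what came out. The following Python is an added example that reproduces that pipeline in miniature; it is not the report's own tooling. Everything it scans is a PDF constructed in memory (the rule ids are the report's labels, example.com stands in for a /URI target, and a seeded random blob stands in for a still-packed payload), and the parser is deliberately minimal, which is also why a cross-check parser such as pdfminer.six is still run on real samples.

```python
"""Added example, not the report's own tooling: a minimal static PDF triage pass that
mirrors the checks in the report. It carves stream objects, inflates FlateDecode streams,
matches indicator names inside decoded content, labels XMP namespace URIs separately from
external URLs and scores each decoded stream's entropy. The PDF is constructed in memory."""
import math
import random
import re
import zlib

# Indicator name -> rule id, using the report's own labels.
RULES = {
    b"/RichMedia": "PDF_RICHMEDIA",
    b"/JavaScript": "PDF_JAVASCRIPT",
    b"/JS": "PDF_JS",
    b"/EmbeddedFile": "PDF_EMBEDDED",
    b"/URI": "PDF_URI",
}
OBJ_RE = re.compile(rb"(\d+)\s+0\s+obj\b(.*?)\bendobj", re.S)
# Deliberately simple: flat stream dictionaries, direct /Length only, no xref walk.
STREAM_RE = re.compile(rb"<<(.*?)>>\s*stream\r?\n", re.S)
LENGTH_RE = re.compile(rb"/Length\s+(\d+)\b(?!\s+0\s+R)")
URL_RE = re.compile(rb"https?://[^\s<>()'\"]+")
# XMP/RDF schema namespaces sit in the metadata of almost every PDF; they are
# identifiers, not lures, so they get their own label and add no risk.
XMP_NAMESPACE_RE = re.compile(rb"^https?://(ns\.adobe\.com|www\.w3\.org|purl\.org)/")

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.00 means every byte value occurs equally often."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def carve_streams(pdf: bytes):
    """Yield (object number, stream dictionary, decoded bytes) for each stream object."""
    for obj in OBJ_RE.finditer(pdf):
        num, body = int(obj.group(1)), obj.group(2)
        m = STREAM_RE.search(body)
        if m is None:
            continue  # dictionary-only object, nothing to inflate
        dictionary = m.group(1)
        length = LENGTH_RE.search(dictionary)
        if length:  # direct /Length: take exactly that many bytes, binary-safe
            raw = body[m.end(): m.end() + int(length.group(1))]
        else:  # indirect /Length (n 0 R) is not resolved here: fall back to the marker
            raw = body[m.end(): body.rfind(b"endstream")].rstrip(b"\r\n")
        if b"/FlateDecode" in dictionary:
            try:
                raw = zlib.decompress(raw)
            except zlib.error:
                pass  # corrupt or truncated stream: keep the raw bytes and still scan them
        yield num, dictionary, raw

def triage(pdf: bytes) -> dict:
    """Run the indicator, URL and entropy checks over every carved stream."""
    hits, urls, entropy = {}, {}, {}
    for num, dictionary, data in carve_streams(pdf):
        haystack = dictionary + data  # stream dictionary plus decoded content
        for needle, rule in RULES.items():
            # Lookahead keeps /JS and /EmbeddedFile from matching longer names.
            if re.search(re.escape(needle) + rb"(?![A-Za-z])", haystack):
                hits.setdefault(rule, []).append(num)
        for url in URL_RE.findall(data):
            label = "xmp-namespace" if XMP_NAMESPACE_RE.match(url) else "external"
            urls[url.decode("ascii", "replace")] = label
        entropy[num] = round(shannon_entropy(data), 2)
    return {"heuristics": hits, "urls": urls, "entropy": entropy}

def stream_obj(num: int, entries: bytes, payload: bytes) -> bytes:
    """Serialise one FlateDecode stream object for the constructed sample."""
    body = zlib.compress(payload)
    return (b"%d 0 obj\n<<%s /Filter /FlateDecode /Length %d>>\nstream\n"
            % (num, entries, len(body)) + body + b"\nendstream\nendobj\n")

# Constructed sample (not the analysed file); seeded random bytes stand in for a
# still-packed payload whose decoded stream reads 8.00 bits/byte, as in the report.
PACKED_BLOB = random.Random(2009).randbytes(16384)
SAMPLE_PDF = (
    b"%PDF-1.6\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>\nendobj\n"
    # Object stream holding a JavaScript action: visible only after inflation.
    + stream_obj(4, b" /Type /ObjStm /N 1 /First 4",
                 b"9 0 << /S /JavaScript /JS (this.exportDataObject({cName: 'x', nLaunch: 2})) >>")
    # XMP metadata packet with the namespace URIs every such packet carries.
    + stream_obj(5, b" /Type /Metadata /Subtype /XML",
                 b'<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" '
                 b'xmlns:xmp="http://ns.adobe.com/xap/1.0/"/>')
    # Embedded file whose decoded bytes are still maximally random.
    + stream_obj(6, b" /Type /EmbeddedFile", PACKED_BLOB)
    # Link annotation with an external /URI action inside a second object stream.
    + stream_obj(7, b" /Type /ObjStm /N 1 /First 5",
                 b"10 0 << /Type /Annot /Subtype /Link /A << /S /URI /URI (http://example.com/update) >> >>")
    + b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_PDF))
```

Run as a script it prints the three result maps for the constructed file: the JavaScript and /JS rules fire on object 4 and the embedded-file rule on object 6 only because their streams were inflated first, the two ns.adobe.com and w3.org addresses come out labelled as namespaces while the annotation target is labelled external, and object 6 is the only stream whose decoded content still measures close to 8.00 bits/byte. On a real sample, replace SAMPLE_PDF with the file's bytes and expect the fallback paths (indirect /Length, corrupt streams) to be exercised far more often than here.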